Multi-party approval (MPA) is a security feature for a Google Ads account designed to protect your account from unauthorized activity by requiring a second account administrator to verify sensitive changes. Sensitive actions like adding users or changing user roles will prompt other administrators of your account to approve these changes.
This guide explains how multi-party approval works and how to manage multi-party approval requests in your account.
Get started with multi-party approval
Multi-party approval secures your account by requiring another administrator's approval for sensitive actions. This can help to block hijacking attempts and unauthorized actions from occurring on your account.
Sensitive actions like adding a new user, removing an existing user, or changing user roles will require approval from a second administrator to complete. As security needs evolve, additional actions may also require this approval process.
About the approval process
When you make a sensitive change to a Google Ads account, a request is sent to all administrators within the hierarchy for approval. All eligible account administrators within your hierarchy will receive an in-product notification to review these changes.
Direct administrators and owner managers of the requester receive individual notifications for each request, while others in the hierarchy receive a combined digest for multiple requests. Since emails aren't sent for these approvals, it's important to check your in-product notifications regularly.
Account administrators have 20 days to approve or reject a request before it expires. Requests automatically expire if they aren't acted upon within 20 days. If the action is still necessary, restart the process to generate a new approval request.
There are three request statuses for multi-party approval. These statuses will show next to any actions taken in the account:
- Complete
- The action was reviewed and approved by an administrator. The action takes effect and the initiator is notified.
- Denied
- The action was reviewed and rejected by an administrator. The proposed action is blocked.
- Expired
- If no action is taken within 20 days, the action is rejected.
Review multi-party approval requests
You can review change requests on the Access and security page in your Google Ads account.
Approve or reject a request
After a request is submitted, another administrator must review and accept the request for it to take effect. Here's how to review your pending requests:
- Go to Access and security within the Admin menu.
- In the Pending invitations menu, select Review request.
- Review the details of each request. Select Approve to approve the request, and Deny to reject it. You can manage added users in the Users tab under Access and security.
Revoke a request
If you need to revoke a pending request that you initiated, follow the following steps. Note that you can only revoke a request if it hasn't already been approved or denied by another administrator.
- Go to Access and security within the Admin menu.
- In the Pending invitations menu, select Revoke Request next to a request you'd like to cancel.
This will delete the notifications associated with the request for all other account administrators.
Supported actions in the Google Ads API
The Google Ads API supports multi-party approvals for three actions:
- Inviting a new user to an account
- Changing the user access level of an existing user
- Removing an existing user from the account
A multi-party authorization request can be resolved or revoked using the
MultiPartyAuthReviewService
service.
Approve or reject a request
Another administrator must review and accept or reject the request for it to
take effect. To approve or reject a request, call the
MultiPartyAuthReviewService.ResolveMultiPartyAuthReview
method using the credentials of the user who is authorized to resolve the
request. This is typically a second administrator of the account.
Populate a
ResolveMultiPartyAuthReviewOperation
object with:
resource_name: The resource name of the multi-party review request to be resolved.status: Set toAPPROVEDto approve the request, orREJECTEDto reject the request.
Note that only an authorized user other than the original requester can approve or reject a request.
Revoke a request
If you need to revoke a pending request that you initiated, you can do so by
calling the
MultiPartyAuthReviewService.ResolveMultiPartyAuthReview
method.
This operation is similar to the approval workflows, except that this must be
done with the credentials of the user who created the original request.
Populate a
ResolveMultiPartyAuthReviewOperation
object with:
resource_name: The resource name of the multi-party review request to be revoked.status: Set toREVOKED.
Retrieve pending requests
You can retrieve the list of pending multi-party approval requests by running
the following query using the
GoogleAdsService.Search or
SearchStream service:
SELECT
multi_party_auth_review.resource_name,
multi_party_auth_review.multi_party_auth_review_id,
multi_party_auth_review.creation_date_time,
multi_party_auth_review.request_user_email,
multi_party_auth_review.operation_type,
multi_party_auth_review.justification,
multi_party_auth_review.target_resource,
multi_party_auth_review.customer_user_access_review.old_customer_user_access,
multi_party_auth_review.customer_user_access_review.new_customer_user_access,
multi_party_auth_review.customer_user_access_invitation_review.new_customer_user_access_invitation
FROM multi_party_auth_review
WHERE multi_party_auth_review.review_status = 'PENDING'